Peter A Clarke

It is becoming common practice for companies affected by the significant data breaches to seek injunctive relief. The Australian reports in Qantas goes to court over cyber attack in attempt to stop stolen data being released or used. that Qantas has obtained an interim injunction in the New South Wales Supreme Court. A copy of the orders has not been released but it is reported as intending “..to prevent the data being accessed, viewed, released, used, transmitted or published by anyone including by any third parties.” There is no identified respondent to the application.  It is also covered by 9 News and Reuters.  If the process follows the approach taken by the court in the HWL Ebsworth application for injunctive relief in 2024.

Interestingly the National Office of Cyber Security prepared a report on the HWL Ebsworth Cyber Security Incident titled “Lessons Learned Review”.  Under the hearing “What was interesting” the report says the following about the injunction HWL Ebsworth obtained from the Supreme Court of New South Wales.  

The granting of an injunction from the Supreme Court of New South Wales to HWL Ebsworth was a key point of interest during the management of the incident. The injunction was sought by HWL Ebsworth to restrain further access to or publication of information exposed during the incident, in an attempt to protect client data, and minimise ‘online rubbernecking’. Overwhelmingly, government entities viewed this enabled better support to impacted clients (including individuals) through minimising the likelihood that other actors may access and act on the published data, and was overall viewed as a sensible step in the firm’s response.

HWL Ebsworth’s intention when seeking the injunction was never to stop its clients from accessing their own data, as several clients were granted exemptions to ensure access for this purpose could continue. However, the injunction also prevented accidental unauthorised access which would have been inevitable in the circumstances where clients of the firm were seeking their own information but would, in the process, further compromise the privacy of other matters unintentionally.

There is quite a bit of supposition in that assessment.  It is not possible to know whether the injunction performed that role.  There has been no reported contempt of court proceedings for breaching the injunction.  It would also be quite difficult to determine whether there was a reduction in ‘online rubbernecking’ to start with and whether it was reduced.  How to monitor on line rubber necking is another issue.  If the data is stored on the dark web in a particular site removing the data, highly improbable, would be a better solution than working out who viewed it, even more difficult.  That said injunctive relief is now part of the response in large scale data breaches.  

It is clear from the assessment that the orders were almost certainly more involved and complicated than a blanket prohibition.  There is reference to exemptions.  That is an important issue when seeking such orders.  It is important to avoid putting those who are victims who discover their personal information and in viewing it may in a position where they may be in contempt of court.  Clearly not an intended consequence.

The Australian story provides:

The move comes as Qantas revealed it was “aware of increased reports of scammers impersonating the airline” and urged customers to remain vigilant.

As yet there has been no evidence that any of the stolen data has been released on the dark web, and Qantas is continuing to monitor those sites with the help of specialist cyber security experts.

In the meantime, Qantas has obtained an interim injunction in the Supreme Court of NSW in an effort to further protect those caught up in the breach.

The injunction is intended to prevent the data being accessed, viewed, released, used, transmitted or published by anyone including by any third parties.

Affected customers have been informed about what details were on the platform in question, ranging from names, addresses and birthdates to frequent flyer information.

Some people also had their meal preferences and gender stored on the breached database.

A statement issued by Qantas said the company “wanted to do all it could to protect customers’ personal information”.

“We believe this was an important next course of action,” the statement said.

“Qantas continues to work closely with the Australian Federal Police, the National Cyber Security Co-ordinator and the Australian Cyber Security Centre, to thoroughly investigate this criminal activity.”

The airline again emphasised that no credit card details, personal financial information or passport details were stored in the compromised system.

Passwords, PINs and login details were also not accessed or compromised.

Qantas previously revealed a “potential cyber criminal” had made contact with the airline in relation to the cyber attack, which followed an “interaction” with the Manila call centre.

It is unknown if any ransom demands were made in relation to the data, which cyber experts have suggested is sufficient for social engineering scams targeting individual customers.

Those affected are advised to remain vigilant to any requests for further data, either by phone, text or email.

Qantas said it was “aware of increased reports of scammers impersonating the airline and recommended customers remained alert for unusual communications claiming to be from Qantas”.

“Qantas will never contact customers requesting passwords, booking reference details or sensitive login information,” the statement said.

“Affected Customers can continue to access the dedicated support line on 1800 971 541 or +61 2 8028 0534.”

The Reuters story provides:

Australia’s Qantas Airways said on Thursday it has obtained an interim injunction in the New South Wales (NSW) Supreme Court to prevent the stolen data from being accessed or published by anyone, including by any third parties.

The 9 News article is interesting in setting out the PR angle that Qantas has clunkily applied over time.  The story provides:

The accounts of 5.7 million Qantas customers were compromised in a data breach of one of the airline’s call centres on June 30.

The data affected varied from person to person but included a combination of business and residential addresses of 1.3 million accounts, the phone numbers attached to 900,000 accounts, and dates of birth connected to 1.1 million accounts.

The majority of the compromised data included customer records limited to the names, addresses, and Frequent Flyer details of customers.

The airline has confirmed that there was no evidence of any personal data being released, and no credit card or passport details or personal financial information had been accessed.

Further, no passwords, PINs and login details of Frequent Flyer accounts were compromised, with the airline stating the stolen data wasn’t enough to access accounts.

Qantas was on Thursday granted an interim injunction in the NSW Supreme Court in an attempt to stop the data from being accessed or released.

“In an effort to further protect affected customers, the airline has today obtained an interim injunction in the NSW Supreme Court to prevent the stolen data from being accessed, viewed, released, used, transmitted or published by anyone, including by any third parties,” a Qantas statement read.

“We want to do all we can to protect our customers’ personal information and believe this was an important next course of action.”

Qantas Group chief executive officer Vanessa Hudson last week said the airline was informing customers of what data was in the compromised system and providing advice on support services.

“Our absolute focus since the incident has been to understand what data has been compromised for each of the 5.7 million impacted customers and to share this with them as soon as possible,” Ms Hudson said.

“Since the incident, we have put in place a number of additional cybersecurity measures to further protect our customers’ data and are continuing to review what happened.

“We remain in constant contact with the National Cyber Security Co-ordinator, Australian Cyber Security Centre and the Australian Federal Police. I would like to thank the various agencies and the federal government for their continued support.”

Affected customers are able to call the dedicated support line on 1800 971 541, or 02 8028 0534.

“This service remains available 24/7 and customers have access to specialist identity protection advice and resources through this team,” Qantas said in a statement.

Customers have been urged to remain vigilant, particularly with any email, texts and phone calls that purport to be from Qantas, and to not provide online account passwords or any personal or financial information.

“We are aware of increased reports of scammers impersonating Qantas. We recommend customers remain alert for unusual communications claiming to be from Qantas or requesting personal information or passwords,” a Qantas statement read.

“Qantas will never contact customers requesting passwords, booking reference details or sensitive login information.”

Additionally, customers were advised to contact Scamwatch if they believed they had been targeted by scammers.